OS: Ubuntu 14.04 - MS Azure Password Sync to Office 365.

When I start the sync, a Kerberos WRONG PARAM error appears in the Samba log and Azure logs the following (the same exception and stack trace are repeated three times in the event entry; one copy is shown here):

Password synchronization failed for domain: domain.com. Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: RPC Error 1728 : A remote procedure call (RPC) protocol error occurred. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry(Action operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Hi, I am experiencing the same problem when using DirSync with Azure/Office 365. I am currently running Samba 4.2.1 compiled from source. Are we missing some RPC calls to have this working in Samba?

(The same exception and stack trace are repeated three times in the log entry; one copy is shown here.)

Password synchronization failed for domain: domain.com. Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1727 : The remote procedure call failed and did not execute. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Same problem with an up-to-date Samba on an Arch Linux box. What is needed to get AD Azure sync working on Samba? Best regards, Torsten Fohrer
The new AAD Connect gives me the following error (the exception and stack trace are repeated twice in the log entry; one copy is shown here):

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9.<RetrieveObjectChangesFromAD>b__3(IDrsConnection c)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Please retry with Samba 4.5, as we fixed ReplicateSingleObject for that release.
The same bug in version 4.5.0.
I know this bug has been open for a long time, but Password Hash Synchronization in Azure AD Connect is still broken. AADConnect event logging shows the following:

RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.

In Windows Server AD environments, this error is usually caused by missing Replicating Directory Changes / Replicating Directory Changes All permissions on the AAD sync service account, which is not the case here.

Setting the AADConnect Sign On method to Pass-through authentication instead is a usable workaround (where sign-in requests are passed back down to the DC instead of using the synced password hash in AAD). Password Hash Sync is preferable, since it would continue to provide sign-on services if either the DC or the server hosting AADConnect went down.

OS: Zentyal Server Development Edition 6.1 (based on Ubuntu)
Samba: 4.7 (version included with the distribution)

Looking up this issue online in various threads, Samba 4.8 is the latest version I've heard people report on this issue with. Please let me know if I can provide more information regarding this. I am assuming this issue still exists as of Samba 4.12, as I didn't see anything related in the change logs, but I haven't been able to test.
Created attachment 15842: Event ID 611 log

I thought I'd shove this in a text file instead of taking up more thread space.
(In reply to Khader Welaye from comment #6) Testing with a modern version would be the first step towards getting any resolution here.
Using Microsoft's latest method, "Azure AD Connect cloud provisioning" (Preview), with 4.12.8-SerNet-Debian-8.buster, we are getting this:

An on-premises agent reported errors in attempting to read the entry with this identifier: faa071f5-5924-4cd3-8f8e-0afc599b919b.
[2020-10-17T09:48:20.8040421Z](92) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.<>c__DisplayClass8_1.<RetrieveSingleObject>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.RetrieveSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.TryFetchPasswordDataForSingleObject(Guid objectGuid, Func`2 translationFunction, Resource& resource)
   at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.AggregatePasswords(Guid objectGuid, IList`1 aggregate)

Next I will try to get a level 10 debug log from this DC while this error occurs.
Another observation: Samba is running with continuously high CPU usage (50-60%) while the Azure AD Connect cloud provisioning server is running. We shut down the server, and CPU usage returns to normal (below 10%).
We've recently looked into this and the problem is that the Azure sync client is not able to replicate certain secret attributes, including the passwords. The reason for this is that basically the Samba DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights; instead it restricts the right to connected (RO)DCs. To fix this someone has to dig into this and implement the correct security checks. I have a WIP patch, but it's going to take at least a week or two of effort to write tests that teach us the correct behaviour of a Windows DC and then implement this in Samba.
(In reply to Ralph Böhme from comment #11) FWIW, using an account that is a member of Domain Admins will also work.
Really, are you sure? We are running with a domain admin account configured in the Azure AD Connect cloud provisioning, and we're getting:

An on-premises agent reported errors in attempting to read the entry with this identifier: ce41b509-746c-45b1-8886-4f203c60.
[2020-10-18T12:47:01.9891903Z](28) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges
(In reply to heupink from comment #13) Hm, this looks totally different from what we've been seeing in a very specific test setup with a Windows 2008R2 DC (at schema level 2012) and a Samba DC.
Do I understand correctly that you ran your Azure sync *ON* that Windows 2008R2 DC? Reading the Microsoft docs, I understand this is not required. We are testing with a Windows 2016 (domain member) server, NOT a DC.
(In reply to heupink from comment #15) No, this was the DC we replicated from. This was used in a deliberate attempt to be able to compare replication between comparable Windows and Samba DCs, both being at the same schema and functional level and so forth. The Azure sync client was installed on a Win 10 box IIRC.
heupink: I think you are reporting a problem here that the initial bug report was not about. You mentioned "Azure AD Connect cloud provisioning (Preview)". Do you agree that this is a different topic? If yes, please keep this bug report on the topic it was about. If you have a different issue with new Azure software, please file a new bug.
I considered this ticket to be about password hash synchronisation to Azure / O365. Through the years Microsoft has had different tools to do this job, the latest one being the "cloud provisioning" server. And actually, I think the tool that the ticket originally was about (DirSync) is no longer supported by Microsoft. But all these tools seemed to run into the same/similar issue: RPC Error 8420 : The naming context could not be found. Therefore I assumed that our findings are the same, or at least related or relevant. On the mailing list there seem to be very few (if any recent) success stories. However, reading Ralph Böhme's comments, it seems that perhaps it *is* supposed to work after all. So for now, I will start by putting more effort into making it work here. Perhaps I'll first also test with a native Microsoft AD DC.
(In reply to Ralph Böhme from comment #12) I just tried installing the (traditional, older style) Azure AD Connect with an account from the "Domain Admins" group, and it seems that is no longer supported: https://docs.microsoft.com/nl-nl/azure/active-directory/hybrid/reference-connect-accounts-permissions: "As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive an error." The installer will instead offer to create an account for you, and that is probably where this Samba limitation becomes problematic: "DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights" (Ralph Böhme in comment #11)
(In reply to heupink from comment #19) You can use any account and make it a member of domain admins.
(In reply to heupink from comment #19) I understand why they do it, but from a security perspective it makes people feel safer than they really are, as a user who can download password hashes (Kerberos keys) for servers and krbtgt is essentially a Domain Admin anyway.
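Added worked example (the editor's, not Samba's code and not from any commenter in this thread): a small Python model of the directory ACL check that comment #11 says the Samba DRSR server was skipping, together with the SDDL for granting an AAD connector account the two replication extended rights named in comment #6. Assumptions: the domain SID, the connector account's RID, the DACL and the caller tokens are constructed for illustration; the two GUIDs are the well-known rightsGuid values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; 8453 is ERROR_DS_DRA_ACCESS_DENIED; the per-object secret replication behind the sync client's ReplicateSingleObject calls is assumed to require both rights. The Domain Admins workaround from comments #12 and #20 shows up as the BUILTIN\Administrators SID in the caller's token.

```python
"""Model of the directory ACL check a DC should make before serving DRSGetNCChanges.

Added example for this thread: not Samba code and not from any commenter; it does
not talk to a DC. SIDs, the DACL and the connector account below are constructed.
"""
import re

# Well-known rightsGuid values of the two replication extended rights.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All

ERROR_DS_DRA_ACCESS_DENIED = 8453   # what a refused DRSGetNCChanges should report

# Constructed identities (not from any real deployment).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ADMINISTRATORS = "S-1-5-32-544"             # BUILTIN\Administrators, held by Domain Admins
ENTERPRISE_DCS = "S-1-5-9"                  # Enterprise Domain Controllers
DOMAIN_USERS = DOMAIN_SID + "-513"
CONNECTOR_ACCOUNT = DOMAIN_SID + "-1105"    # assumed RID of the account the installer created

# Constructed domain-NC DACL in the shape a default DC hands out: DCs and
# Administrators may replicate everything, ordinary users may only read.
DOMAIN_NC_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{GET_CHANGES};;{ENTERPRISE_DCS})"
    f"(OA;;CR;{GET_CHANGES_ALL};;{ENTERPRISE_DCS})"
    f"(OA;;CR;{GET_CHANGES};;{ADMINISTRATORS})"
    f"(OA;;CR;{GET_CHANGES_ALL};;{ADMINISTRATORS})"
    f"(A;;LCRPLORC;;;{DOMAIN_USERS})"
)

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\((?P<type>OA|OD|A|D);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                     r"(?P<guid>[^;]*);(?P<inherit>[^;]*);(?P<sid>[^;)]*)\)")


def grant_sddl(trustee_sid, secrets):
    """ACEs to add to the domain NC so trustee_sid may pull changes over DRS.
    GET_CHANGES alone covers non-secret attributes; GET_CHANGES_ALL additionally
    releases password hashes and Kerberos keys, which password hash sync needs."""
    rights = [GET_CHANGES] + ([GET_CHANGES_ALL] if secrets else [])
    return "".join(f"(OA;;CR;{g};;{trustee_sid})" for g in rights)


def holds_control_right(sddl, token_sids, right_guid):
    """Walk the DACL in ACE order, first match wins, as an AD access check does:
    a deny reached before an allow refuses; an object ACE with an empty GUID
    covers every control-access right; GA (generic all) implies CR."""
    m = _DACL_RE.search(sddl)
    if m is None:
        return False
    token = set(token_sids)
    for ace in _ACE_RE.finditer(m.group(1)):
        if ace["sid"] not in token:
            continue
        r = ace["rights"]
        if not {r[i:i + 2] for i in range(0, len(r), 2)} & {"CR", "GA"}:
            continue
        if ace["guid"] and ace["guid"].lower() != right_guid.lower():
            continue
        return ace["type"] in ("A", "OA")
    return False


def drs_get_nc_changes_allowed(sddl, token_sids, secrets):
    """Decision for one DRSGetNCChanges call from a caller that is not a DC.
    Returns (allowed, win32 status). Secret replication (what the sync client
    asks for per object) needs both rights; ordinary replication needs
    GET_CHANGES only."""
    needed = [GET_CHANGES] + ([GET_CHANGES_ALL] if secrets else [])
    if all(holds_control_right(sddl, token_sids, g) for g in needed):
        return True, 0
    return False, ERROR_DS_DRA_ACCESS_DENIED


if __name__ == "__main__":
    # The ACE string is what you would hand to samba-tool on the DC.
    print("samba-tool dsacl set --objectdn='DC=domain,DC=com' "
          f"--sddl='{grant_sddl(CONNECTOR_ACCOUNT, secrets=True)}'")
```

With the constructed DACL the connector account is refused until either it is put in Domain Admins (the token then carries S-1-5-32-544) or the two ACEs from grant_sddl() are added with samba-tool dsacl set --objectdn='DC=domain,DC=com' --sddl='...'. A refusal surfacing as access denied is also far easier to diagnose than the 8420 "naming context could not be found" seen throughout this thread. The point of the comment above stands either way: whoever holds Get-Changes-All can pull every hash and Kerberos key in the domain, so the connector account deserves the same handling as a Domain Admin (unique strong credential, no interactive logon, alerting on DRSGetNCChanges from anything that is not a DC).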
I'm working on a fix for the reported GetNCChanges error. There may still be other issues, but this much I will fix.
This bug was referenced in samba master: 2c7bb58703c1fa26782ac6959ea7d81fccf3905c bee45e6b29b97e0cab19a9c3cf692d9a7585a717 a150a2dcb1fc7fc7f606838de17ad4d3e6072bda 3204d1350b21704474e577cb5f3f2439b673c421 70faccae6d595056174af8d63b3437c9fe3805aa 539221dda33f03a1abf5ee5f3153db0fe1a9bfe6 7c43388576f768db564aaf15a47d3f9ce5796fb3 7032b86cd5c1456318558ed95f8890e353117ced d0444be4b74bdad6a731bc5fcf86da6142b03539 0f501b2316af6568003e520848c1ec80c286fd36 8e1122420efd11a91aa1c5d60c0cc8fd9ffaf157 e96dfc74b3ece40fe64a33aa8b8d810b576982bd aee2039e63ceeb5e69a0461fb77e0f18278e4dc4 73f3ece8b2b44ac4b3323a08fb969f29bf2b0380 cbe18353d8d7b2a35b965e4fc8c895ac497e67e8 d5a2af3feae98057ba29de444d308d499d633941 adb776149e5ac0eb346992775610627106e1a986 09ec6a1db2d3b831548bf7d66475c486be29b1d1 115a3a10440f44ba11029be5ae3a05534a7b98c0 1838f349c94b878de1740af35351a2e8e0c8cffb 0f2978bbc0ed5b65d75c20472650a749643312e7
Created attachment 17744: Patch for Samba 4.18 including WHATSNEW
Created attachment 17745: Patch for Samba 4.17 including release note
Pushed to autobuild-v4-18-test.
This bug was referenced in samba v4-18-test: d0c2305b35af0c39cfababbd2e3c5302047bb6aa 501728cdcfed2289a5f04c66114b06278299966a 11540d828f79db72423550fb610e914579ce3ceb 7712ef7288aae848dee1d4cc4346585cb2405499 a40d3697e1a72d6985ca15a4236fbcc1a1322387 87ed6e23061293c470022152ac0b20a73f5ce022 f70fd3385f331c7430e1e16869cdeba9619a10f0 92f56081291183bb9af084fc9576e6a13ca7eaed 855c11c41460cadc28cfa7562020c2ab19af4958 ab282dba3761d6dc8be3345daf61455571b4b1bf feffb9ec5dfed472b92ba8879e74b19dd0381c55 1a97e897f860e95e3f512fc0ee92b255c7496079 84a952b01eeff32b70d71de48751d7f910bfea64 64df0963f8c8f7e6f203780c5d2dbb61b749a439 613d9b75499822be4a870fd78900922be779a638 29a89f07aa7b167adea921fd583b3b93ae0695f9 dc7497c3a4681c96fdf71e82db1b93e21214cc19 68edd5c1c7f0e6cbd929cd592b79f89cb2c8369f 262fef5acbff53e6a4e8cc654ddf1ce7accc9e20 68fcea19bd03d96f3ecfbcf1cdcaa39097ee401a c9b7fd177d4ec4589712f8acf6f084f650b95a5e
This bug was referenced in samba v4-18-stable (Release samba-4.18.0rc2): d0c2305b35af0c39cfababbd2e3c5302047bb6aa 501728cdcfed2289a5f04c66114b06278299966a 11540d828f79db72423550fb610e914579ce3ceb 7712ef7288aae848dee1d4cc4346585cb2405499 a40d3697e1a72d6985ca15a4236fbcc1a1322387 87ed6e23061293c470022152ac0b20a73f5ce022 f70fd3385f331c7430e1e16869cdeba9619a10f0 92f56081291183bb9af084fc9576e6a13ca7eaed 855c11c41460cadc28cfa7562020c2ab19af4958 ab282dba3761d6dc8be3345daf61455571b4b1bf feffb9ec5dfed472b92ba8879e74b19dd0381c55 1a97e897f860e95e3f512fc0ee92b255c7496079 84a952b01eeff32b70d71de48751d7f910bfea64 64df0963f8c8f7e6f203780c5d2dbb61b749a439 613d9b75499822be4a870fd78900922be779a638 29a89f07aa7b167adea921fd583b3b93ae0695f9 dc7497c3a4681c96fdf71e82db1b93e21214cc19 68edd5c1c7f0e6cbd929cd592b79f89cb2c8369f 262fef5acbff53e6a4e8cc654ddf1ce7accc9e20 68fcea19bd03d96f3ecfbcf1cdcaa39097ee401a c9b7fd177d4ec4589712f8acf6f084f650b95a5e
(In reply to Andrew Bartlett from comment #25) Sorry for any confusion, this is the 4.17 patch.
(In reply to Andrew Bartlett from comment #29) Pushed to autobuild-v4-17-test :-)
This bug was referenced in samba v4-17-test: 00d1f6223f2b13c46d061c58ab944f4459c4eed0 a81be07598363ce778482eeecd429c83278dd936 2cb965046b88a7755369dd5c48809d7c76929d7e b0bbea3fdcdbca0629cbb2f12b5378b8ba7ac423 fcc25f6baf8be5b0c9171a7f4e3ac87f66532c67 f6ebb660e545caad452620394debbc12547bba71 fedd276dbf1f792fe27eed6165b21aea4764718d 24adeb3ad11c693aefbbea25570527cc87cd977d 4413c277ef09dfba6d9d69bfa2886402bcc5c369 deac11ab428b73a712da15f55be135f2741be14d 96adf5afc01ee07f2b9ecd2415c6bda5d7e1ff1a 85cc464195bf9cf70159d113f33582af02ac6614 7c32d3d75aa31b868527d992e08e8d63fc76faac 764702f788c3b59d1f9b21a8deec4fe37f680c1a a78c2094ff503b775688dd46dc48ccf8f0934f09 bcb89bd81d4e51fbd06e205816e0b891dc0c1889 fba94e5d50433e8869e72d0ae2bb68fa2abab03e be0cb18920243a422fe5bd77bb9ce241e71b4b62 dee9067386531241846680e50dc892cc906b0a07 c7658589fa53a7905678361409341a916b0d41f5 cee7ecee5caea78beae099cbde4f34c7c0c663b7
Closing out bug report. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.6): 00d1f6223f2b13c46d061c58ab944f4459c4eed0 a81be07598363ce778482eeecd429c83278dd936 2cb965046b88a7755369dd5c48809d7c76929d7e b0bbea3fdcdbca0629cbb2f12b5378b8ba7ac423 fcc25f6baf8be5b0c9171a7f4e3ac87f66532c67 f6ebb660e545caad452620394debbc12547bba71 fedd276dbf1f792fe27eed6165b21aea4764718d 24adeb3ad11c693aefbbea25570527cc87cd977d 4413c277ef09dfba6d9d69bfa2886402bcc5c369 deac11ab428b73a712da15f55be135f2741be14d 96adf5afc01ee07f2b9ecd2415c6bda5d7e1ff1a 85cc464195bf9cf70159d113f33582af02ac6614 7c32d3d75aa31b868527d992e08e8d63fc76faac 764702f788c3b59d1f9b21a8deec4fe37f680c1a a78c2094ff503b775688dd46dc48ccf8f0934f09 bcb89bd81d4e51fbd06e205816e0b891dc0c1889 fba94e5d50433e8869e72d0ae2bb68fa2abab03e be0cb18920243a422fe5bd77bb9ce241e71b4b62 dee9067386531241846680e50dc892cc906b0a07 c7658589fa53a7905678361409341a916b0d41f5 cee7ecee5caea78beae099cbde4f34c7c0c663b7